
Commit f7b8795

Merge pull request #15 from awslabs/rws_dev_amazon_security_lake_ga_updates
Amazon Security Lake GA Update
2 parents c40fc72 + 12b63eb commit f7b8795

9 files changed

+784
-363
lines changed

AWSSecurityAnalyticsBootstrap/amazon_security_lake_queries/README.md

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,18 +9,24 @@ These queries were originally developed for the AWS Customer Incident Response T
99
AWS Service Log | Demo Query Link
1010
------|------|
1111
All Queries Combined | [all demo queries](./ocsf/amazon_security_lake_queries_all.md)
12-
[AWS CloudTrail](https://docs.aws.amazon.com/cloudtrail/index.html) | [cloudtrail demo queries](./ocsf/amazon_security_lake_queries_cloudtrail.md)
13-
[Amazon Virtual Private Cloud (VPC) Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) | [vpc flow demo queries](./ocsf/amazon_security_lake_queries_vpcflow.md)
14-
[Amazon Route 53 DNS resolver query logs](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html) | [route 53 dns demo queries](./ocsf/amazon_security_lake_queries_route53.md)
12+
[AWS CloudTrail Management Events](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html#cloudtrail-event-logs) | [cloudtrail management events demo queries](./ocsf/amazon_security_lake_queries_cloudtrail_management.md)
13+
[AWS CloudTrail Lambda Data Events](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html#cloudtrail-event-logs) | [cloudtrail lambda data events demo queries](./ocsf/amazon_security_lake_queries_cloudtrail_lambda.md)
14+
[Amazon Virtual Private Cloud (VPC) Flow Logs](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html#vpc-flow-logs) | [vpc flow demo queries](./ocsf/amazon_security_lake_queries_vpcflow.md)
15+
[Amazon Route 53 DNS resolver query logs](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html#route-53-logs) | [route 53 dns demo queries](./ocsf/amazon_security_lake_queries_route53.md)
16+
[Security Hub Findings](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html#security-hub-findings) | [security hub event demo queries](./ocsf/amazon_security_lake_queries_securityhub.md)
1517

1618
## Acknowledgment
1719

1820
Many thanks to support from:
1921
- AWS Customer Incident Response Team
2022
- Amazon Security Lake Product Team
23+
- Anna McAbee
24+
- Charles Roberts
25+
- Marc Luescher
2126
- Ross Warren
2227
- Josh Pavel
2328

29+
2430
## License
2531

2632
This project is licensed under the Apache-2.0 License.
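Review bot: the added blank line at 29+ leaves two consecutive blank lines before `## License` (the existing blank at 28 plus the new one), while every other section break in this file uses a single blank line; drop one of them. A second, naming point on the new table rows: the Security Hub row's source column says `Security Hub Findings` but its link text reads `security hub event demo queries`; `security hub findings demo queries` would follow the pattern of the other rows, where the link text mirrors the source name.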

AWSSecurityAnalyticsBootstrap/amazon_security_lake_queries/ocsf/amazon_security_lake_queries_all.md

Lines changed: 457 additions & 154 deletions
Large diffs are not rendered by default.
Lines changed: 97 additions & 0 deletions
@@ -0,0 +1,97 @@
1+
<!--
2+
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3+
SPDX-License-Identifier: Apache-2.0
4+
-->
5+
6+
# Amazon Security Lake Example Queries
7+
8+
## Cloudtrail Lambda Data Events
9+
> **NOTE:** The example queries in this file are intended to query *Cloudtrail Lambda data events*. CloudTrail management events, S3 data events, and Lambda data events are three separate sources in Security Lake. For more information about enabling Cloudtrail sources in Amazon Security Lake please review the official [documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html).
10+
11+
### CLOUDTRAIL LAMBDA DATA EVENTS PARTITION TESTS
12+
13+
**Query:** Preview first 10 rows with all fields, quick way to verify everything is setup correctly
14+
15+
```
16+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
17+
LIMIT 10;
18+
```
19+
20+
### CLOUDTRAIL LAMBDA PARTITION TESTS
21+
22+
> **NOTE:** if there are no partition constraints (accountid, region, or eventday) then by default ALL data will be scanned this could lead to costly query, always consider using at least one partition constraint.
23+
>
24+
> Note that this is the case even if you have other constraints in a query (e.g. sourceipaddress = '192.0.2.1'), only constraints using partition fields (eventday, region, accountid) will limit the amount of data scanned.
25+
26+
**Query:** Preview first 10 rows with all fields, limited to a single account
27+
28+
```
29+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
30+
WHERE accountid = '111122223333'
31+
LIMIT 10;
32+
```
33+
**Query:** Preview first 10 rows with all fields, limited to multiple accounts
34+
35+
```
36+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
37+
WHERE accountid in ('111122223333','444455556666','123456789012')
38+
LIMIT 10;
39+
```
40+
41+
**Query:** Preview first 10 rows with all fields, limited to a single region
42+
43+
```
44+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
45+
WHERE region = 'us-east-1'
46+
LIMIT 10;
47+
```
48+
49+
**Query:** Preview first 10 rows with all fields, limited to multiple regions
50+
51+
```
52+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
53+
WHERE region in ('us-east-1','us-east-2','us-west-2')
54+
LIMIT 10;
55+
```
56+
57+
**Query:** preview first 10 rows with all fields, limited to a certain date range
58+
> **NOTE:** eventday format is 'YYYYMMDD' as a string
59+
60+
```
61+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
62+
WHERE eventday >= '20230530'
63+
AND eventday <= '20230631'
64+
LIMIT 10;
65+
```
66+
67+
**Query:** Preview first 10 rows with all fields, limited to the past 30 days (relative)
68+
69+
```
70+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
71+
WHERE eventday >= date_format(date_add('day',-30,current_timestamp), '%Y%m%d')
72+
LIMIT 10;
73+
```
74+
75+
**Query:** Preview first 10 rows with all fields, limited by a combination of partition constraints
76+
> **NOTE:** narrowing the scope of the query as much as possible will improve performance and minimize cost
77+
78+
```
79+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
80+
WHERE eventday >= '20230530'
81+
AND eventday <= '20230631'
82+
AND accountid = '111122223333'
83+
AND region in ('us-east-1','us-east-2','us-west-2', 'us-west-2')
84+
LIMIT 10;
85+
```
86+
87+
### CLOUDTRAIL LAMBDA DATA EVENT ANALYSIS EXAMPLES
88+
89+
**Query:** Query all Cloudtrail Lambda data events for a specific Lambda function named 'MyLambdaFunction'
90+
```
91+
SELECT * FROM "amazon_security_lake_glue_db_us_east_1"."amazon_security_lake_table_us_east_1_lambda_execution_1_0"
92+
WHERE any_match(transform(resources, x -> x.uid), y -> y like '%MyLambdaFunction%')
93+
AND eventday >= '20230530'
94+
AND eventday <= '20230631'
95+
AND accountid = '111122223333'
96+
AND region in ('us-east-1','us-east-2','us-west-2', 'us-west-2');
97+
```
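Review bot: the date-range examples at 63+, 81+ and 94+ use `eventday <= '20230631'`, but June has 30 days. Because `eventday` is a string partition the comparison still runs, so the bug is invisible at query time, yet readers copying the example will carry an invalid date into their own queries; use `'20230630'`. At 83+ and 96+ the region list `('us-east-1','us-east-2','us-west-2', 'us-west-2')` repeats `'us-west-2'`; the duplicate does not change the result, but it looks like a typo for `'us-west-1'`, and the stray space before the last element differs from the lists at 37+ and 53+. Smaller points: the headings at 11+ (`CLOUDTRAIL LAMBDA DATA EVENTS PARTITION TESTS`) and 20+ (`CLOUDTRAIL LAMBDA PARTITION TESTS`) are near-duplicates even though the first section only previews rows without any partition constraint, so retitle the first one; at 92+, `any_match(resources, x -> x.uid like '%MyLambdaFunction%')` is equivalent to the `transform` plus `any_match` form and reads more directly; the fences throughout are untagged, and tagging them `sql` gives syntax highlighting on GitHub; and 32+/33+ is the one place where a closing fence is not followed by a blank line before the next `**Query:**` label.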
